In this article ITC’s William Kilmer considers the biggest cyber security risk organisations face in keeping up with shifts in the current threat landscape.

The biggest cyber security risk organizations face is not a specific threat, but our ability to modernize our defensive approach to keep up with shifts in the current threat landscape. For example, for many years, organizations continued to focus on a perimeter defense approach long after it became clear that the adoption of laptops had shifted the threat to mobile devices. This happened again as infrastructure and software shifted to the cloud, opening another threat window. In each wave, organizations spend years trying to catch up.

The risk posed by third parties, including suppliers, affiliates, partners, and contractors, has been brought increasingly into the spotlight by several high-profile companies that have experienced very public and notable breaches perpetrated through their partners. One of the largest was Target Corporation’s breach, which occurred through an attack on an HVAC supplier that gave hackers direct access to Target through its supplier portal. The attack resulted in a leak of more than 60 million customer records and 40 million credit card numbers, resulting in over $18 million in lawsuit settlements, the resignation of the CEO, a nearly 50% drop in operating profit, and an incalculable loss of customer confidence.

This type of attack through a third party is increasingly common as attackers take advantage of the weakest link to reach high-value targets. It often works by breaching a third party, as in Target’s case, to gain access to the primary target’s information assets.

However, the threat has recently become worse as vendors increasingly share data with partners. Companies such as Philips, Best Buy, and Netflix have had employee or customer information or intellectual property breached while it was in the possession of a third party.

A 2017 Ponemon study underscored the magnitude of the problem, highlighting that 65% of all breaches now occur through third parties. Fortunately, there is hope that organizations are shifting their attention to this threat: in a recent survey, 94% of companies said they plan to increase their spending on third-party defenses.

Organizations generally identify third-party risk by periodically surveying their partners directly. While this is a good start, it only provides a static snapshot of the partner organization, and sifting through surveys is a long, manual process. It’s no wonder that 83% of IT managers say they lack confidence in their existing third-party risk management programme.

A more effective approach to addressing third-party risk, one that provides better information to organizations without an accompanying high cost, should include:

Prioritize vendors and evaluate risk. First, organizations may have dozens or even hundreds of partners and will need to prioritize them based on risk. Start with a list of vendors and create a prioritized list based on an initial evaluation of their security posture, their importance to you, their location, and similar factors.

Understand infrastructure access and asset exchange. Pay particular attention to organizations which have access to your infrastructure, or with which you share confidential information or assets. Review not only the technology but also understand their policies and how well they follow and enforce them.

Integrate security and vendor procurement policies. Next, create your own governance around how you will review your third parties, what the proper risk thresholds are, and how you will address unmitigated risks. For example, define what is an acceptable risk and what isn’t, and what you will do if a company will not fix a security issue. Publish these policies and review ways to reinforce them contractually.

Make it an ongoing process. It’s important that you don’t simply take a snapshot of a partner organization’s security situation; instead, create an ongoing process to monitor your third-party relationships and their security posture on a regular, even monthly, basis.

To facilitate the regular monitoring and mitigation of third-party risk, ITC Secure now offers a third-party risk management service that gives organizations the information they need about their partners and suppliers along with the ability to track risks over time. We provide an outsider view of your third-party partners, reviewing information and providing an objective security score for each vendor on a monthly basis. To further assist organizations, our third-party risk monitoring solution provides real-time alerting, detailed information on the potential risk, and information on how to address and remediate the issue with your vendor.

A weak-link approach to cyber security — identifying the organization’s highest vulnerabilities and fixing those first — would dictate that spending on third-party risk will provide a better return on investment than adding to existing cyber defenses elsewhere. With some forethought, logic, and planning, an organization can effectively manage its third-party risk and catch up to the latest threat vector before it’s too late. If you would like to know more about our solution, contact our ITC Secure team today.
